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Abstract 

We present a new approach to termination analysis of numerical computations in logic programs. 
Traditional approaches fail to analyse them due to non well-foundedness of the integers. We present 
a technique that allows overcoming these difficulties. Our approach is based on transforming a pro- 
Y\ ' gram in a way that allows integrating and extending techniques originally developed for analysis of 

numerical computations in the framework of query-mapping pairs with the well-known framework of 
acceptability. Such an integration not only contributes to the understanding of termination behaviour 
04 ' of numerical computations, but also allows us to perform a correct analysis of such computations 

^ , automatically, by extending previous work on a constraint-based approach to termination. Finally, 

~nI ■ we discuss possible extensions of the technique, including incorporating general term orderings. 

I Keywords: termination analysis, numerical computation. 

o 

1 Introduction 

^ \ One of the important aspects in verifying the correctness of logic programs (as well as 

O ■ functional programs and term rewrite systems) is verification of termination. Due to the 

declarative formulation of programs, the danger of non-termination may be increased. As 
a result, termination analysis received considerable attention in logic programming (see 
e.g. (»Apt et al. 1994' "Bossi et al. 2002'; Bruynooghe et al. 2002" Codish and Taboch 1999' 
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Numerical computations form an essential part of almost any real-world program. Clearly, 
in order for a termination analyser to be of practical use it should contain a mechanism for 
inferring termination of such computations. However, this topic attracted less attention of 
the research community. In this paper we concentrate on automatic termination inference 
for logic programs depending on numerical computations. 

Dershowitz et al. JDershowitz et al. 2001 ) showed that termination of general numeri- 
cal computations, for instance on floating point numbers, may be counter-intuitive, i.e., 
the observed behaviour does not necessarily coincide with the theoretically expected one. 
Moreover, as the following program shows, similar results can be obtained even if the 
built-in predicates of the underlying language are restricted to include "greater than" and 
multiplication only. 
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Consider the following program, that given a positive number x results in a sequence of 
calls p(0.25a;),p((0.25)2a;),... 

p{X)^X>0,Xl is X*0.25,p{Xl). 

If we reason purely in terms of real numbers, we might expect that the computation started 
by p(l.O) will be infinite. However, in practice the goal above terminates with respect to 
this program, since there exists k, such that (0.25)'' is small enough for the comparison 
(0.25)'= >0 to fail. □ 

We discuss these issues in detail in ( [Serebrenik: and De Schreye 2002^ . In the current paper 
we avoid these complications by restricting to integer computations only. 

Next, we illustrate the termination problem for integer computations with the following 
example: 

Example 2 

Consider the following program: 

p{X)^ X <7,X1 isX + l,p{Xl). 

This program terminates for queries p{X), for all integer values of X. □ 

Most of the existing automated approaches to termination analysis for logic programs (" Codish and Taboch 19991 
[Lindenstrauss and Sagiv 1997 ; M esnard and Neume rkel 2001 , Ohlebusch 2001 1 fail to prove 
termination for such examples. The reason is that they are most often based on the notion 
of a level mapping, that is, a function from the set of all possible atoms to the natural 
numbers, which should decrease while traversing the rules. Usually level mappings are de- 
fined to depend on the structure of terms and to ignore constants, making the analysis of 
Example|2limpossible. 

Of course, this can be easily repaired, by considering level mappings that map each nat- 
ural number to itself. In fact, the kernels of two termination analysers for logic programs, 
namely cTI JMesnard 1996llMesnard and Neumerkel 2001t and TerminWeb JCodish and Taboch 1999t . 
rely on abstracting logic programs to CLP(5\^ ) programs, and use the identity level map- 
ping on 5V; in the analysis of the abstract versions of the programs ^ 

Note however that this is insufficient for the analysis of Example^ In fact, there remain 
two problems. First, the program in Example|2lis defined on a (potentially negative) integer 
argument. This means that we need a level mapping which is different from the identity 
function. 

Two approaches for solving this problem are possible. First, one can change the defini- 
tion of the level mapping to map atoms to integers. However, integers are not well-founded. 
To prove termination one should prove that the mapping is to some well-founded subset 
of integers. In the example above (—00,7) forms such a subset with an ordering y, such 
that x> y \f X < y, with respect to the usual ordering on integers. Continuing this line of 
thought one might consider mapping atoms to more general well-founded domains. In fact, 
already in the early days of program analysis (Floyd 1967^ Katz and Manna 1975b general 
well-founded domains were discussed. However, the growing importance of automatic ter- 
mination analysers and requirements of robustness and efficiency stimulated researchers 

' We thank anonymous referees for pointing this link to related work out to us. 



Inference of termination conditions 



3 



to look for more specific instances of well-founded domains, such as natural numbers in 
logic programming and terms in term-rewriting systems. 

The second approach, that we present in the paper, does not require changing the defini- 
tion of level mapping. Indeed, the level mapping as required exists. It maps p{X) to7 — X 
if X <1 and to otherwise. This level mapping decreases while traversing the rule, i.e., 
the size of p{X), 1 — X for X < 7, is greater than the size of p{X\), 6 — X for X <7 and 
for X >1, thus, proving termination. 

A second problem with approaches based on the identity function, as the level mapping 
used on CLP(5V;), is that, even if the program in Example |2] would have been defined on 
natural values of X only, they would still not be able to prove termination. The reason is 
that the natural argument increases under the standard ordering of the natural numbers. 
Such bounded increases (be it of structure-sizes or of numerical values) are not dealt with 
by standard termination analysers. Note that the two approaches presented above also solve 
this second problem. 

The main contribution of this paper is that we provide a transformation - similar to multi- 
ple specialisation ( Winsborough 1992) - that allows us to define level mappings of the form 
illustrated in the second approach above in an automatic way. To do so, we incorporate 
techniques of (IDershowitz et al. 200 It . such as level mapping inference, in the framework 
of the acceptability with respect to a set ( |De Schreye et al. I992 ''Decorte and De Schreye I998| . 
This integration provides not only a better understanding of termination behaviour of in- 
teger computations, but also the possibility to perform the analysis automatically as in 
Decorte et al. JDecorte etal. I999> . 

Moreover, we will also be somewhat more general than (iP ecorte et al. 199 9^. by study- 
ing the problem of termination inference, rather than termination verification. More pre- 
cisely, we will be inferring conditions that, if imposed on the queries, will ensure that the 
queries will terminate. Inference of termination conditions was studied in ( Mesnard 19961 
IMesnard and Neumerkel 20011 IGenaim and Codish~2001j . Unlike termination conditions 
inferred by these approaches, stated in terms of groundedness of arguments, our technique 
produces conditions based on domains of the arguments, as shown in Example|3] 

Example 3 

Extend the program of Example|2lwith the following clause; 

p{X)^ X >7,Xl isX + l,p{Xl). 

This extended program terminates for X <1 and this is the condition we will infer. □ 

The rest of the paper is organised as follows. After making some preliminary remarks, 
we present in Section 3 our transformation — first by means of an example, then more for- 
mally. In Section 4 we discuss more practical issues and present the algorithm implement- 
ing the termination inference. Section 5 contains the results of an experimental evaluation 
of the method. In Section 6 we discuss further extensions, such as proving termination of 
programs depending on numerical computations as well as symbolic ones. We summarise 
our contribution in Section 7, review related work and conclude. 
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2 Preliminaries 

We follow the standard notation for terms and atoms. A query is a finite sequence of atoms. 
Given an atom A, rel{A) denotes the predicate occurring in A. Atomp (Termp) denotes 
the set of all atoms (terms) that can be constructed from the language underlying P. The 
extended Herbrand Base Bp (the extended Herbrand Universe U p) is the quotient set of 
Atomp (Termp) modulo the variant relation. An SLD-tree constructed using the left-to- 
right selection rule of Prolog is called an LD-tree. A goal G LD-terminates for a program 
P, if the LD-tree for (P, G) is finite. 

The following definition is similar to Definition 6.30 ( |Apt 1997) . 

Definition 1 

Let F be a program and p, q be predicates occurring in it. We say that 

• p refers to q in P if there is a clause in P that uses p in its head and q in its body. 

• p depends on q in P and write p ^ q, if (p, q) is in the transitive closure of the 
relation refers to. 

• p and q are mutually recursive and write p 2i g, if p □ q and q^ p. 

The only difference between our definition and the one by Apt ( |Apt 1997) 1 is that we require 
the relation □ to be the transitive closure of the relation refers to, while ( |Apt 1997) requires 
it to be transitive, reflexive closure. Using our definition we call a predicate p recursive if 
p cf.p holds. 

We recall some basic notions, related to termination analysis. A level mapping is a func- 
tion I • |: Bp where 9\[ is the set of the naturals. Similarly, a norm is a function 

ll-lh c^l-^- 

We study termination of programs with respect to sets of queries. The following notion 
is one of the most basic notions in this framework. 

Definition 2 

Let P be a definite program and 5* be a set of atomic queries. The call set, Call{P,S), 
is the set of all atoms A from the extended Herbrand Base Bp, such that a variant of 
^ is a selected atom in some derivation for P U Q}, for some Q E S and under the 
left-to-right selection rule. 

The following definition fSerebrenik and De Schreye 2001^ generalises the notion of ac- 
ceptability with respect to a set ( |De Schreye et al. 1992,|Decorte and De Schreye 1998) by 
extending it to mutual recursion. 

Definition 3 

Let 5 be a set of atomic queries and P a definite program. P is acceptable with respect to 
S if there exists a level mapping | • | such that 

• for any CaJJ(P, 5") 

• for any clause A' ^ B\, . . . ,Bn in P, such that mgu(^, A') ^ 9 exists, 

• for any atom Bi, such that rel{Bi) ~ rel{A) and for any computed answer substitu- 
tion a for ^ (Pi , . . . , Pi-i )9 holds that 

I ^ 1 > I B,Qa I • 

De Schreye et al. ( |De Schreye et al. 1992) characterise LD-termination in terms of accept- 
ability. 
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Theorem 1 {cf. ^De Schreye et al. 1992\ ) 

Let P be a definite program. P is acceptable with respect to a set of atomic queries S if 
and only if P is LD-terminating for all queries in S. 

We also need to introduce notions of rigidity and of interargument relations. Given a 
norm || • || and a term t, Bossi et al. (Boss i et al. 1991> call t rigid with respect to || • || if 
for any substitution a, ||ia|| — Observe that ground terms are rigid with respect to all 
norms. The notion of rigidity is obviously extensible to atoms and level mappings. Interar- 
gument relations have initially been studied by JUUman and Van Gelder 1988IIPlumer 19911 
[Verschaetse and De Schreye 199 It . In this paper we use the definition of (IDecorte et al. 19991 . 

Definition 4 

Let f be a definite program, p/n a. predicate in P. An interargument relation for p/n is a 
relation Rp C jy;". i?p is a valid interargument relation for p/n with respect to a norm || • | 
if and only if for every p{ti,...,tn) E Atomp if P \^ p{ti, . . . ,t„) then 1|, . . . , || in ||) e 
Rp. 

Combining the notions of rigidity, acceptability and interargument relations allows us to 
reason on termination completely at the clause level. 

Theorem 2 (rigid acceptability ( cf. \Decorte et al. 19991 )) 

Let 5* be a set of atomic queries and P a definite program. Let || • || be a norm and, for each 
predicate p in P, let Rp be a valid interargument relation for p with respect to || • ||. If there 
exists a level mapping | • | which is rigid on Call{P, S) such that 

• for any clause H <~ Bi , . . . , Bn E P, and 

• for any atom Bi in its body such that rel{Bi) ~ rel{H), 

• for substitution 9 such that the arguments of the atoms in {Bi , )9 all satisfy 
their associated interargument relations Rbi, - ■ ■ ,RBi_i ■ 

\He\>\B,Q\ 

then P is acceptable with respect to S. 

3 Methodology 

In this section we introduce our methodology using a simple example. In the subsequent 
sections, we formalise it and discuss different extensions. 

Computing a query with respect to the following example results in a sequence of 
calls with oscillating arguments like p(— 2),p(4),p(— 16), . . . and stops if the argument 
is greater than 1000 or smaller than —1000. The treatment is done first on the intuitive 
level. 

Example 4 

We are interested in proving termination of the set of queries {p{z) | z is an integer} with 
respect to the following program: 

p{X)^X> 1,X < 1000,X1 is -X^X,p{X\). 
p{X) ^X < -1,X > -1000,X1 isX *X,p{X\). 
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The direct attempt to define the level mapping of p{X) as X fails, since X can be positive 
as well as negative. Thus, a more complex level mapping should be defined. We start with 
some observations. 

The first clause is applicable if 1 < X < 1000, the second one, if —1000 < X < — 1. 
Thus, termination of p{X) for X < -1000, -1 < X < 1 or X > 1000 is trivial. Moreover, 
if the first clause is appHed and 1 < X < 1000 holds, then either -1000 < XI < -1 or 
XI < -1000 V -1 < XI < 1 VXl > 1000 should hold. Similarly, if the second clause is 
applied and -1000 < X < 1 holds, either 1 < XI < 1000 or XI < -1000 V -1 < XI < 
1 VXl > 1000 should hold. 

We use this observation and split the domain of the argument of p, denoted pi , in three 
parts as following: 

a 1 < PI < 1000 
b -1000<pi<-l 

c pi < -1000 V-1 < PI < iVpi > 1000 

Next we replace the predicate p with three new predicates p^, p^ and p^. We add condi- 
tions before the calls to p to ensure that p^ is called if p{X) is called and 1 < X < 1000 
holds, p^ is called if p{X) is called and -1000 < X < -1 holds and p^ is called if p{X) 
is called and X < -1000 V -1 < X < 1 V X > 1000 holds. The following program is 
obtained: 

p^{X)^X > 1,X < 1000,X1 is - x*x, 

-1000 < XLXl < -l,p^{Xl). 
p^{X)^X > 1,X < 1000,X1 is -x*x, 

(XI < -1000;(-1 <X1,X1 < 1);X1 > 1000),p^(Xl). 
p^{X)^X < -1,X > -1000, XI is X*X, 

1 < XI, XI < 1000,p3(Xl). 
p^{X)^X < -1,X > -1000, XI is x*x, 

(XI < -1000;(-1 < XI, XI < 1);X1 > 1000),p^(Xl). 

Observe that the transformation we performed is a form of multiple specialisation, well- 
known in the context of abstract interpretation ( |Winsborough 19 92). 

Now we define three diiferent level mappings, one for atoms of p^, another one for 
atoms of p^ and the last one for atoms of p^. Let 

1000 -n ifl<«<1000 

otherwise 

1000 + n if-1000<n<-l 

otherwise 



p^{n) I = 

p^{n)\ = 
p^{n)\ = 



We verify acceptability of the transformed program with respect to {p^{n) | 1 < n < 
1000} U {p^{n) I —1000 < n < —1} via the specified level mappings. This implies ter- 
mination of the transformed program with respect to these queries, and thus, termination 
of the original program with respect to {p{z) | z is an integer}. 

For the sake of brevity we discuss only queries of the form p^{n) for 1 < n < 1000. 
Heads of the first and the second clauses can be unified with this query, however, the 
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second clause does not contain calls to predicates mutually recursive with and the only 
such atom in the first clause is p'^(m), where m = —n^. Then, \p^{n) | > \p°{m) \ should 
hold, i.e., 1000 - n > 1000 + m, that is 1000 - n > 1000 - (n > 1 and m = -v?), which 
is true for n> \. 

For queries of the form p^{n), the acceptability condition is reduced to 1000+ n > 
1000 — which is true forn < — 1 . □ 

The intuitive presentation above hints at the main issues to be discussed in the follow- 
ing sections: how the cases such as those above can be extracted from the program, and 
how given the extracted cases, the program should be transformed. Before discussing the 
answers to these questions we present some basic notions. 



3.1 Basic notions 

In this section we formally introduce some notions that further analysis will be based on. 
Recall that the aim of our analysis is to find, given a predicate and a query, a sufficient 
condition for termination of this query with respect to this program. Thus, we need to 
define a notion of a termination condition. We start with a number of auxiliary definitions. 

Given a predicate p, Pi denotes the i-th argument of p and is called argument position 
denominator. 

Definition 5 

Let P be a program, 6" be a set of queries. An argument position i of a predicate p is called 
integer argument position, if for every , . . . , f„) e Call{P, S), ti is an integer. 

Argument position denominators corresponding to integer argument positions will be called 
integer argument position denominators. 

An integer inequality is an atom of one of the following forms Expl > Exp2, Expl < 
Exp2,Expl > Exp2 or Expl < Exp2, where Expl and Exp2 are constructed from integers, 
variables and the four operations of arithmetics on integers. A symbolic inequality over 
the arguments of a predicate p is constructed similarly to an integer inequality. However, 
instead of variables, integer argument positions denominators are used. 

Example 5 

X >0 and F < X + 5 are integer inequalities. Given a predicate p of arity 3, having only 
integer argument positions, pi> Q and P2 <Pi+Pi are symbolic inequalities over the 
arguments of p. □ 

Disjunctions of conjunctions based on integer inequalities are called integer conditions. 
Similarly, disjunctions of conjunctions based on symbolic inequalities over the arguments 
of the same predicate are called symbolic conditions over the integer arguments of this 
predicate. 

Definition 6 

Let p{ti,...,tn) be an atom and let Cp be a symbolic condition over the arguments of p. 
An instance of the condition with respect to an atom, denoted Cp , . . . , is obtained 
by replacing the argument positions denominators with the corresponding arguments, i.e.. 
Pi with ti. 
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Example 6 

Let p{X , Y ,5) be an atom and let Cp be a symbolic condition {p\ > 0) A {p2 < Pi + Pi)- 
Then, Cp{p{X, Y ,5)) is (X > 0) A ( y < X +5). □ 

Now we are ready to define termination condition formally. 

Definition 7 

Let P be a program, and Q be an atomic query. A symbolic condition c^-gj^gj is a termi- 
nation condition for Q if given that Cj-Q^q-^iQ) holds, Q left-terminates with respect to 
P. 

For any integer z a termination condition for p{z) with respect to Examples |2l and |3 
is true, i.e., for any integer z, p{z) terminates with respect to these programs. Clearly, 
more than one termination condition is possible for a given query with respect to a given 
program. For example, termination conditions for p{5) with respect to Example |3l are 
among others, true, p\ <1 and p\ > 0. Analogously, false, pi < 7, pi < 10 are termination 
conditions for p{\\) with respect to Example|3] It should also be noted that a disjunction 
of two termination conditions is always a termination condition. 

Similarly to Theorems ^ and |2]we would like to consider termination with respect to 
sets of atomic queries. Therefore we extend the notion of termination condition to a set 
of queries. This, however, is meaningful only if all the queries of the set have the same 
predicate. We call such a set single predicate set of atomic queries. For a single predicate 
set of atomic queries 5*, rel{S) denotes the predicate of the queries of the set. 

Definition 8 

Let P be a program, and 5" be a single predicate set of atomic queries. A symbolic condition 
'^rel(s) ^ termination condition for S if c^gjj^j is a termination condition for all Q ^ S. 

From the discussion above it follows that a termination condition for S — {p{z) | 2 is an 
integer} with respect to Examples|2]and|4]is true. This is not the case for Example|3l since 
termination is observed only for some queries of 5*, namely p{z), such that z <1. Thus, 

< 7 is a termination condition for S with respect to Example|3l 

We discuss now inferring what values integer arguments can take during traversal of the 
rules, i.e., the "case analysis" performed in Example|3 It provides already the underlying 
intuition — calls of the predicate p'^ are identical to the calls of the predicate p, where c 
holds for its arguments. More formally, we define a notion of a set of adornments. Later 
we specify when it is guard-tuned and we show how such a guard-tuned set of adornments 
can be constructed. 

Definition 9 

Let p be a predicate. The set J4p — {ci Cn} of symbolic conditions over the integer 
arguments of p is called set of adornments forp if Vr=i — true and for all i,j such that 

I < i < j < n, Ci A Cj ~ false. 

A set of adornments partitions the domain for (some of) the integer variables of the 
predicate. Similarly to Example|4] in the examples to come, elements of a set of adornments 
are denoted a, b, c, . . . 
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Example 7 

Example|4] continued. The following are examples of sets of adornments: 

{a,b,c} where a is 1 < pi < 1000, bis - 1000 < pi < -1 
and c is pi < -1000 V-1 <pi < 1 Vpi > 1000. 

and 

{d, e} where d is pi < 100 and e is pi > 100. 

□ 

In the next section we are going to present a transformation, related to the multiple 
specialisation technique. To define it formally we introduce the following definition: 

Definition 10 

Let ^ _Bi , . . . , i?„ be a rule. Bi , . . . , 5^, is called m integer prefix of the rule, if for all 
j, I < j < i < n, Bj is an integer inequality and the only variables in its arguments are 
variables of H . Bi Bi is called the maximal integer prefix of the rule, if it is an integer 
prefix and Bi,...,Bi, S^+i is not an integer prefix. 

Since an integer prefix constrains only variables appearing in the head of a clause, there 
exists a symbolic condition over the arguments of the predicate of the head, such that the 
integer prefix is its instance with respect to the head. In general, this symbolic condition is 
not necessarily unique. 

Example 8 

Consider the following program: p{X , Y, F)^ Y > 5 - The only integer prefix of this rule 
is F > 5. There are two symbolic conditions over the arguments of p, p2 > 5 and p^ > 5, 
such that F > 5 is their instance with respect to p{X, F, F). □ 

In order to guarantee the uniqueness of such symbolic conditions we require integer ar- 
gument positions in the heads of the rules to be occupied by distinct variables. For the sake 
of simplicity we assume all argument positions in the heads of the rules to be occupied by 
distinct variables. Apt et al. ( |Apt et al. 1994^ call such a rule homogeneous. Analogously, a 
logic program is called homogeneous if all its clauses are homogeneous. Programs can be 
easily rewritten to a homogeneous form (see l |Apt et al. 1994^ ). In the following we assume 
that all programs are homogeneous. 

3.2 Program transformation 

The next question that should be answered is how the program should be transformed given 
a set of adornments. After this transformation , . . . , X„) will behave with respect 

to the transformed program exactly as p{Xi,...,Xn) does, for all calls that satisfy the 
condition c. Intuitively, we replace each call to the predicate p in the original program by 
a number of possible calls in the transformed one. 

Given a program P and a set of possible adornments J4 = UpeP '^he transformation 
is performed in a number of steps. Below we use Example |2] as a running example to 
illustrate the different steps. Recall that it consists of only one clause 

p{X) ^ X <l,Xl isX + l,p{Xl). 
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As set of adornments we use 

— {a, b}, where a is pi < 7 and b is pi > 7. 

1. For each clause r in P and for each call p(ti,...,t„) to a recursive predicate p 
occurring in r add VcGj?p . . . , tn)) before p{ti,. . . , tn). By Definition |9l the 
disjunction is true, thus, the transformed program is equivalent to the original one. 
In the example, the clause is transformed to 

p{X) ^ X <1 ,X\ is X + 1,{X\ <7; XI >7),p(Xl). 

2. For each clause, such that the head of the clause, say . . . , t„), has a recursive 
predicate p, add VcGj?p c(p(ti , . . . , t„)) as the first subgoal in its body. As for the 
previous step, the introduced call is equivalent to true, so that the transformation is 
obviously correct. In the example, we obtain: 

p{X)^{X <1; X>7),X<7, 

XlisX + l,(Xl <7; XI >7),p(Xl). 

3. Next, moving to an alternative procedural interpretation of disjunction, for each 
clause in which we introduced a disjunction in one of the previous two steps, and for 
each such introduced disjunction \J cea.p c{p{t\, t„)) we split these disjunctions, 
introducing a separate clause for each disjunct. Thus, we apply the transformation 

H ^ Bi, . . . ,{Ai ; . . . ; Ak),- ■ ■ ,Bn. 

to 

H ^ Bi, . . . ,Ai, . . . ,Bn- 

H ^ Bi, . . . ,A2, ■ ■ ■ ,Bn. 



H <— Bi, . . . ,Ak,- ■ ■ ,Bn- 

to each disjunction introduced in steps 1 and 2. 
For our running example, we obtain four clauses: 

p(X) ^X <7,X <7,X1 isX + l,Xl <7,p(Xl). 
p(X) ^X <7,X <7,XlisX + l,Xl >7,p(Xl). 
p(X) ^X >7,X <7,XlisX + l,Xl <7,p(Xl). 
p(X) <-X >7,X <7,XlisX + l,Xl >7,p(Xl). 

Note that, although this transformation is logically correct, it is not correct for Pro- 
log programs with non-logical features. For instance, in the presence of "cut", it may 
produce a different computed answer set. Also, in the context of "read" or "write" 
calls, the procedural behaviour may become very different. However, for purely logi- 
cal programs with integer computations, both the declarative semantics and the com- 
puted answer semantics are preserved. Likewise, the termination properties are also 
preserved. Indeed, the transformation described can be seen as a repeated unfolding 
of ; using the following clauses: 

;(X,y)^X. 

;(x,y)^ y. 
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It is well-known that unfolding cannot introduce infinite derivations JBossi and Cocco 1994> . 
On the other hand, an infinite derivation of the original program can be easily mim- 
icked by the transformed program. 

From here on we will restrict our attention to purely logical programs, augmented 
with integer arithmetic. To prepare the next step in the transformation, note that, in 
the program resulting from step 3, for each rule r and for each recursive predicate p: 

• if a callp(ii , . . . , t„) occurs in r, then it is immediately preceded by some c{p{ti, 

• if an atom p{ti,...,tn) occurs as the head of r, then it is immediately followed 
by some c(p(ti , . . . , t„)). 

Moreover, since the elements J4.p partition the domain (see Definition|9jl, conjuncts 
like Ci{p{ti,...,t„)),p{ti,...,tn) and Cj{p{ti,. . . ,tn)),p{ti,. . . ,tn) for i ^j, are 
mutually exclusive, as well as the initial parts of the rules, like 

p{ti,...,tn) <— Cj(p(ii,...,f„)) andp{ti,...,t„) <— Cj , . . . , 

i y^j. This means that we can now safely rename the different cases apart. 

4. Replace each occurrence of c (p ( ti , . . . , i„ ) ) , p ( ti , . . . , t„ ) in the body of the clause 
with c{p{ti , . . . , tn)) , p'^ {ti , . . . , tn) and each occurrence of a rule 

p{ti,...,t„) <-~ c{p{ti,...,t„)),Bi,...,B„ 
with a corresponding rule 

p''{ti,...,t„) ^ c{p{ti,...,t„)),Bi,...,B„. 

In our example we get: 

p^{X) ^ X <7,X <7,Xl isX + l,Xl<7,p^{Xl). 
p^{X)^ X <7,X <7,X1 isX + l,Xl >7,p^{Xl). 
p^{X)<~X>7,X <7,X1 isX + l,Xl <7,p^{Xl). 
p^{X) ^ X >7,X <7,Xl isX + l,Xl>7,p'°{Xl). 

Because of the arguments presented above, the renaming is obviously correct, in the 
sense that the LD-trees that exist for the given program and for the renamed program 
are identical, except for the names of the predicates and for a number of failing 1- 
step derivations (due to entering clauses that fail in their guard in the given program). 
As a result, both the semantics (up to renaming) and the termination behaviour of 
the program are preserved. 

5. Remove all rules with a maximal integer prefix which is inconsistent, and remove 
from the bodies of the remaining clauses all subgoals that are preceded by an in- 
consistent conjunction of inequalities. In the example, both rules defining p^ are 
eliminated and we obtain: 

p^{X)^X <7,X <7,X1 isX + 1,X1 <7,p^{Xl). 
p^{X)^ X <7,X <7,X1 isX + l,Xl >7,p^{Xl). 

Performing this step requires verifying the consistency of a set of constraints, a task 
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that might be computationally expensive. Depending on the constraints the imple- 
mentation of our technique is supposed to deal with, the programmer can either 
opt for more restricted but potentially faster solvers, such as linear rational solver 
JHolzbaur 1995^ . or for more powerful but potentially slower ones, such as mixed 
integer programminging solver dlLOG 200 1> . 
6. Replace each rule 

p''{ti,...,t„) ^ c(p(ii,...,i„)),5i,...,5„ 

by a rule 

p''{ti,...,t„) ^ Bl,...,Bn- 

In the example we obtain: 

p^{X)^ X <7,X1 isX + l,Xl <7,p^{Xl)- 
p^{X)^X <7,XlisX + l,Xl >7,p^iXl)- 

which is the adorned program, (p{^-^} in our case). Note that this last step is only 
correct if we also transform the set of original queries. Namely, given a single predi- 
cate set of original atomic queries S for P and a set of adornments M = Upep the 
corresponding set of queries considered for is 5^ = { ci ( Q ) A Q , . . . , c„ ( Q ) A 
Q""- I Q e S',{ci,...,c„} = -J^j-eJ(Q)}. where Q" denotes p''{t\,...,tn) if Q is 
p{ti^ . . . ,tn). In our running example the set of queries is {z <7 Ap^{z),z >7A 
p^{z) I z is an integer}. 

Before stating our results formally we illustrate the transformation by a second example. 
Example 9 

Example]?] continued. With the first set of adornments from Example0we 

obtain 

p^{X)^ X >1,X < 1000, XI is -X^X, 

-1000 < XI, XI < -l,p°{Xl). 
p^{X)^X>\,X <\000,X\is -X*X, 

(XI < -1000;(-1 <X1,X1 < 1);X1 > 1000),p^(Xl). 
p^{X)^X < -1,X > -1000, XI is X*X, 

1 < XI, XI < 1000,p3(Xl). 
p'='(X) ^X < -1,X > -1000, XI is x*x, 

(XI < -1000;(-1 < XI, XI < 1);X1 > 1000),p^(Xl). 

The set of queries to be considered is 
{ 

z > 1 A 2 < 1000 A p^(z), 
z > -1000 A 2 < -1 A p'°{z), 
{z < -1000 V (2 >-lA2<l)Vz> 1000) Ap^(2) 
I z is an integer 

} 
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If the second set of adornments is used, the program pi'-'-^} is obtained: 

p^{X)'-X> \,X < 1000,X1 is -X*X,Xl < 100,j5*^(Xl). 
p^{X)^X > 1,X < 1000,X1 is -X*X,Xl < 100,p*^(Xl). 
p^{X)^X < -1,X > -1000,XlisX*X,Xl < 100,p*^(Xl). 
p^{X)^X < -1,X > -1000,XlisX*X,Xl > 100,p^(Xl). 

Analogously, the following is the set of the corresponding queries 

{z < 100 A p'^{z),z> 100 A p^{z) I 2 is an integer} 

□ 

Formally, the following lemma holds: 
Lemma 1 

Let P be a definite pure logical program with integer computations, let Q be an atomic 
query, let ;? = UAp be a set of adornments and let c be an adornment in ^j-qI^^ q-^ ■ Let be 
a program obtained as described above with respect to A . Then, c is a termination condition 
for Q with respect to P if and only if LD-terminates with respect io c{Q) f\ . 

Proof 

The construction of implies that the LD-tree of c{Q) /\ Q"^ with respect to P^ is 
isomorphic to the LD-tree of c{Q) f\ Q with respect to P, implying the theorem. □ 

Again, in practice we do not prove termination of a single query, but of a single pred- 
icate set of queries. Furthermore, recalling that a disjunction of termination conditions is 
a termination condition itself we can generalise our lemma to disjunctions of adornments. 
Taking these two considerations into account, the following theorem holds. 

Theorem 3 

Let P be a definite pure logical program with integer computations, let 5" be a single 
predicate set of atomic queries, let ~ U.^p be a set of adornments and let ci , . . . , c,j be 
adornments in ^j-Qif^gy Let P^ be a program obtained as described above with respect to 
J? . Then, ci V . . . V c„ is a termination condition for S with respect to P if and only if P^ 
LD-terminates with respect to {ci (Q) A Q''' , • • • , Cn((3) A Q''" | Q e S]. 

Proof 

Immediately from Lemma[l]and the preceding observations. □ 

The goal of the transformation presented is, given a program and a partition of the do- 
main, to generate a program having separate clauses for each one of the cases. Clearly, 
this may (and usually will) increase the number of clauses. Each clause can be replaced 
by maximum c"+' new clauses, were c is a number of adornments and n is a number of 
recursive body subgoals. Thus, the size of the transformed program doesn't exceed 

rxc"+', (1) 

where r is the size of the original one. This may seem a problematically large increase, 
however, the number of recursive body atoms (depending on numerical arguments) in nu- 
merical programs is usually small. 
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Since the transformation preserves termination, acceptability of the transformed pro- 
gram implies termination of the original program. In the next section we will see that hav- 
ing separate clauses for different cases allows us to define less sophisticated level-mappings 
for proving termination. Such level-mappings can be constructed automatically, and thus, 
play a key role in automation of the approach. 

4 Generating adornments, level mappings and termination constraints 

In the previous section we have shown the transformation that allows reasoning on ter- 
mination of the numerical computations in the framework of acceptability with respect to 
a set of queries. In this section we discuss how adornments can be generated, how level 
mappings can be proposed and which termination conditions finally turn up. 

4.1 Guard-tuned sets of adornments 

In Example Q we have seen two different sets of adornments. Both of them are valid ac- 
cording to Definition|9] However, recalling p{3 b,c} ^jj^j p{cl,e} shown in Example|9] 
we conclude that {a,b,c} is in some sense preferable to {d,e}. Observe that does 
not only have two mutually recursive predicates, as /'{^ ^.c} (joes, but also self-loops on 
one of the predicates. To distinguish between "better" and "worse" sets of adornments we 
define guard-tuned sets of adornments. 

Intuitively, a set of adornments of a predicate p is guard-tuned if it is based on "subcases" 
of maximal integer prefixes. 

Definition 11 

Let P be a homogeneous program, let p be a predicate in P. A set of adornments 
is called guard-tuned if for every A <E J4.p and for every rule r ^ P, defining p, with the 
symbolic condition c corresponding to its maximal integer prefix, either c AA — false or 
cAA = A holds. 

Example 10 

The first set of adornments, presented in Example^ is guard-tuned while the second one 
is not guard-tuned. □ 

ExamplesfTlandFTOIsuggest the following way of constructing a guard-tuned set of adorn- 
ments. First, we collect the symbolic conditions, corresponding to the maximal integer 
prefixes of the rules defining a predicate p (we denote this set Cp). Let Cp be {ci, . . . , c„}. 
Then we define J?p to be the set of all conjunctions A"^j di, where di is either q or -ic^. 
Computing Ap might be exponential in the number of elements of Cp, i.e., in the number 
of maximal integer prefixes. The number of integer prefixes is bounded by the number of 
clauses. Thus, recalling O, the upper bound on the size of the transformed program is 
r X 2^("+'\ i.e., it is exponential in the number of clauses r and in a number of recursive 
subgoals n. However, again our experience suggests that numerical parts of real-world 
programs are usually relatively small and depend on one or two different integer prefixes. 
Analogously, clauses having more than two recursive body subgoals are highly excep- 
tional. Therefore, we conclude that in practice the size of the transformed program is not 
problematic. 
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We claim that the constructed set is always a guard-tuned set of adornments. Before 
stating this formally, consider the following example. 

Example 11 

Consider the following program. 

r{X)^X>5. 
r{X)^X> 10,r(X). 

Then, Cr = {n > 5, n > 10}. The following conjunctions can be constructed from the 
elements of Cp and their negations: {n > 5 A n > 10, n > 5 A ^(n > 10), -i(ri > 5) A 
n > 10, -i(ri > 5) A -i(n > 10)}. After simplifying and removing inconsistencies Jir = 

{n > lO,n > 5 An < lO,n < 5}. □ 

Lemma 2 

Let P be a program, p be a predicate in P and JAp be constructed as described. Then is 
a guard- tuned set of adornments. 

Proof 

The proof is done by checking the definitions. 

1 . Let ai , a2 G and ai ^ ai. Then, there exists Ci€ Cp, such that a\ = di A . . . A A 
...Adn and 02 = di A . . . A -ic^ A . . . A d„. Thus, ai A 02 = false. 

2. By definition of J4p, Va-e^^ ai = true. Thus, Jip is a set of adornments. 

3. Let a E .^p be an adornment and let c be a symbolic condition corresponding to the 
maximal integer prefix of a rule. By definition of Cp, c G Cp. Thus, either c is one 
of the conjuncts of a or -ic is one of the conjuncts of a. In the first case, cAa = a. 
In the second case c A a — c A (-ic) = false. Therefore, J4.p is a guard-tuned set of 
adornments. 

■ 

From here on we assume that all sets of adornments are guard-tuned. 

4.2 How to define a level mapping. 

One of the questions that should be answered is how the level mappings should be gener- 
ated automatically. Clearly, one cannot expect automatically defined level mappings to be 
powerful enough to prove termination of all terminating examples. In general we cannot 
hope but for a good guess. 

The problem with level mappings is that they should reflect changes on possibly neg- 
ative arguments and remain non-negative at the same time. We also like to remain in the 
framework of level mappings on atoms defined as linear combinations of sizes of their 
arguments ('Bossi et al. 19941 . We solve this problem by defining different level mappings 
for different adorned versions of the predicate. The major observation underlying the tech- 
nique presented in this subsection is that if pi > p2 appears in the adornment of a recursive 
clause, then for each call to this adorned predicate pi — p2 will be positive, and thus, can 
be used for defining a level mapping. On the other hand, pi < p2 can always be interpreted 
as p2 > pi - These observations form a basis for definition of a primitive level mapping. 
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Definition 12 

Let p'^ be an adorned predicate. The primitive level mapping, \ ■ \P^, is defined as 

• if c is i?i p E2, where E\ and E2 are expressions and p is either > or > then 

I c(. , ^^pr ( {Ei-E2)(ti,...,tn) if Ei{tu...,tn)p E2{tu...,tn) 

\p (t,,...,i„)l^ = l Q ^^^^^^.^^ 

• if c is i?i p E2, where Ei and E2 are expressions and p is either < or < then 

I cf. , Mpr ( {E2-Ei){ti,...,tn) if El{tu...,tn)p E2itu...,tn) 

\p (tl,...,i„)|^ = | Q ^^^^^^.^^ 

• Otherwise, 

\p%tu...,tn)\P''=0- 

If more than one conjunct appears in the adornment, the level mapping is defined as a 
Unear combination of primitive level mappings corresponding to the conjuncts. 

Definition 13 

Let pCiA...Ac„ adorned predicate such that each Ci is E^p'^Ej for some expressions 

El and E2 and p* is either > or >. Let , . . . , be natural numbers. Then, a level 
mapping | • | satisfying 

i 

is called a natural level mapping. 
Example 12 

The level mappings used in Example 0] are natural level mappings such that Wp[>i = 
Wpi<-i = 0, Wpi<iooo — Wpj>_iooo = 1- We have seen that these level mappings are pow- 
erful enough to prove termination. □ 

The definition of natural level mapping implies that if c is a disjunction, it is ignored. 
The reason for doing so is that disjunctions are introduced only as negations of symbolic 
constraints corresponding to maximal integer prefixes of the rules. Thus, they signify that 
some rule cannot be applied, and can be ignored. 

Example 13 

Example 13 continued. Recalling that c denotes pi < — 1000 V — 1 < pi < IV pi > 1000 
the following holds for any integer n, \ p^{n) =0. □ 

Of course, if the original program already contains disjunctions of numerical constraints, 
then we transform it in a preprocessing to eliminate the disjunctions. 

As the following example illustrates, natural level mappings gain their power from the 
fact that the set of adornments used is guard-tuned. 
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Example 14 

In Example Q we have seen two different sets of adornments. We have seen in Example |4] 
that if a guard-tuned set of adornments is chosen the natural level mapping is powerful 
enough to prove acceptability and, thus, termination. If a non guard-tuned set of adorn- 
ments is chosen, the second program of Example|9]is obtained. Then, a following natural 
level mapping is defined (for some natural numbers Wp, <ioo and Wpj>ioo): 



100 -X ifX<100 

otherwise 

X-100 ifX>100 

otherwise 



\p^{X)\ = Wpi<ioo* 

\p^{X)\ = Wpi>ioo* 

Consider the following clause. 

p'^{X)'-X> 1,X < 1000,X1 is -X*X,Xl < lOO,p^{Xl). 

In order to prove acceptability we have to show that the size of the call to p^ (X) is greater 
than the size of the corresponding call to p^{Xl). If the first argument x at the call to 
p'^{X) is greater than 1 and less than 10, the acceptability decrease requires Wp|<ioo(100 — 
x) > Wp,<ioo(100 + x^), contradicting a; > 1 and Wpj<ioo being a natural number. Thus, 
acceptability cannot be proved with natural level mappings. □ 

The approach of JDecorte et al. 1999t defines symbolic counterparts of the level map- 
pings and infers the values of the coefficients by solving a system of constraints. Intuitively, 
instead of considering Wc^ 's as given coefficients, they are regarded as variables. More for- 
mally, similarly to JDecorte et al. 1999t . we introduce the following notion. 

Definition 14 

Let be an adorned predicate. A symbolic counterpart of a natural level mapping 

is an expression: 

i 

where the 's are symbols, associated to a predicate p^^ a...ac„ 

The intuition behind the symbolic counterpart of a natural level mapping is that natural 
level mappings are instances of it. Therefore, we also require Wc > to hold for any 
constraint c. 

Example 15 

Example^] continued. Recalling that a stands for 1 < pi < 1000, a symbolic counterpart 
of a natural level mapping forp^{n) is Wp,>i{n -\) + Wp i<iooo(1000 — n). □ 

In order to verify the rigid acceptability condition (Theorem|2li interargument relations 
may be required as well. Interargument relations are usually represented as saying that a 
weighted sum of sizes of some arguments (with respect to a given norm) is greater or equal 
to a weighted sum of sizes of other arguments (see e.g. JPliimer 19 90*)). In the numerical 
case these sizes should be replaced with expressions as used in Definitional Observe 
that for simpler examples no interargument relations are needed. Symbolic counterparts 
of norms and interargument relations can be defined analogously to Definition In the 
next subsection we discuss how the symbolic counterparts are used to infer termination 
conditions. 
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4.3 Inferring termination constraints 

In this section, we combine the steps studied so far into an algorithm that infers termination 
conditions. The program transformation, described in Section 13.21 impHes that a trivial 
termination condition can be computed as a disjunction of the adornments corresponding 
to the predicates that can be completely unfolded, i.e., to the predicates that do not depend 
directly or indirectly on recursive predicates. More formally we can draw the following 
corollary from Theorem|3l 

Corollary 1 

Let P be a program, let S' be a single predicate set of atomic queries and let J? be a set of 
adornments for reJ(S'). Let = {c I c G J? ,for all g such thatreJ(;S)'^ □ q: g is not recursive 
inP^ }. Then VcgA c is a termination condition for S with respect to P. 

Proof 

By definition of A, for all Q £ S, LD-terminates with respect to {c{Q) A Q'^ \ c e A}. 
Thus, by Theorem|3] VceA c is a termination condition for S with respect to P. ■ 

Example 16 

The termination condition constructed according to Corollary [2 for Example 0]is c, i.e., 

(pi < -1000) V (-1 < Pi < 1) V (pi > 1000). □ 

In general, the termination condition is constructed as a disjunction of two conditions: 
cond\ for non-recursive cases, according to Corollary [fl and cond2, for recursive cases. 
The later condition is initialised to be ^condi and further refined by adding constraints 
obtained from the rigid acceptability condition, as in ( IDecorte et al. 199% ^. The algorithm 
is sketched in Figure[2 

Termination inference is inspired by the constraints-based approach of Decorte et al. <Decorte et al. 1999t 
Similarly to their work we start by constructing symbolic counterparts of the level map- 
pings (Definition^ and interargument relations, and construct conditions following from 
rigid acceptability (Theorem|3 and validity of interargument relations. Unlike their work 
in our case no rigidity constraints are needed (since integer arguments are ground and ob- 
viously rigid) and norms are fixed. Thus, the constraints system turns out to be simpler and 
better suited for automation. Finally, the conditions constructed are solved with respect 
to the symbolic variables (Wc/s). In Example II 71 below we are going to see that rigid 
acceptability will be implied by the following constraint (L): 

W,,^,,{X-Y)>W,,y,,{{X-Y)-Y), 

that is Wq^^q2 Y > should hold. In both approaches Wq^yq2 > is required to hold. At 
this point the approach of ( Decorte et al. 1999t . interpreting y as a norm of arguments 
(i.e., y is a natural number), will conclude W^gj>g, > 0. In our case, we do not know 
a priori that F is a natural number. Therefore, we would infer from Y, that F > and 

Wqt>q2 > 0. ^™ 

In general, given the system of constraints inferred by JDecorte et al. 199^ . we distin- 
guish between the following cases: 

^ Any other technique proving termination and able to provide some constraint that, if satisfied, implies termi- 
nation can be used instead of iDecorte et al. 1999j . 
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• There is no solution. We report condi as a termination condition (Corollary^. Ob- 
serve that when the algorithm reports the termination condition to be false, it suspects 
the possibility of non-termination. 

• There is a solution for any values of integer variables. Namely, there are natural level 
mappings and interargument relations that prove termination of the program for any 
values of integer variables. Termination condition in this case is, thus, true. 

• There is a solution for some values of integer variables. In other words, the solution 
constrains integer variables appearing in the clauses. Two cases can be distinguished: 

— Integer variables constrained appear in the heads of the clauses. Then, constraints 
on these variables can be regarded as constraints on the arguments of the queries 
posed. In this case termination can be shown if these constraints are fulfilled. 

— Integer variables constrained do not appear in the heads of the clauses. In this 
case our methodology is too weak to obtain some information implying termina- 
tion of the queries. The best we can do is to report termination for condi. 



Let P be a homogeneous program, let S be a single predicate set of atomic queries and let q 
bereJ(S). 

1. For each p ~ q construct a guard-tuned set Sip . (Section f4.lt 

2. Adorn P with respect to q and Up~(j -^p • (Section f3.2> 

3. 'LeX A = {c\ c ^ Aq,for all p such that q'^ ^ p : p is not recursive in P^}. 
Let condi = VceA Let cond2 = V ceHg.c^A 

4. LetS"be{c(0)A(3'= | c <E Jig, c ^ A, c{Q) A Q'' e S"}. 

5. Define the symbolic counterparts of level mappings and interargument relations. (Sec- 
tion]^ 

6. Let Z be a set of constraints on the symbolic variables, following from rigid accept- 
ability of S' with respect to P^ and validity of interargument relations. 

7. Solve Z with respect to the symbolic variables. 

(a) Solution of E doesn't produce extra constraints on variables. 

Report termination for true. 

(b) Solution of £ produces extra constraints on integer variables, appearing in the 
heads of the clauses. 

Conjunct these constraints to termination condition cond2- 

Report termination for cond\ V condi- 

(c) There is no solution or integer variables, constrained by the solution of E, do not 
appear in the heads of the clauses 

Report termination for condi . 
Fig. 1. Termination Inference Algorithm 



Example 17 

Consider the following program. 

q{X, Y)^X> Y,Z isX-Y, q{Z , ¥)■ 
We look for integer values of X and Y such that q{X, Y) terminates. First, the algorithm 
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infers adornments. In our case {a, b} are inferred, such that a denotes q\ > qi and b denotes 
qi < 12- 

The adorned version of this program is 

q^{X, Y)^X> Y,ZisX-Y,Z> Y,q^iZ, Y)- 
q^{X,Y)^ X > Y,ZisX-Y,Z< Y,q^{Z,Yy 

The corresponding set of queries is 

{x > y A q^{x, y),x < y A q°{x, y) \ x,y are integers}- 

There is no clause defining q^. By Corollary^ b, i.e., qi < 52 is a termination condition. 
This is the one we denoted condi. The termination condition for q^, denoted cond2, is 
initialised to be qi> qi- The symbolic counterpart of a natural level mapping is 



I q^{X,Y)\^Wg,>,,* 



X-Y if X>Y 
otherwise 



The set of constraints E implied by rigid acceptability is: 

W,,>,,{X-Y)>W,,^,,{{X- Y)-Y), (2) 

that is Wq^>q^_ Y >Q should hold. Since Wq^>q^_ > 0, 1" > and VFg[>,, > should hold. 
Variable Y appears in the head of the clause, i.e., F > can be viewed as a constraint 
on the query. We update cond2 to be {qi > qj) A{q2 > 0) and report termination for q\ < 
92V(gi > ©Ag2 >0). □ 

Formally the following theorem holds. 

Theorem 4 

Let P be a homogeneous pure logical program with integer computation, let 5" be a single 
predicate set of atomic queries and let Algo be the algorithm presented in Figure^ Then 
the following holds: 

• Algo (P, 5*) terminates; 

• Let c be a symbolic condition returned by Algo [P ,S). Then c is a termination con- 
dition for 5". 



Proof 

• Termination of Algo(P,iS') follows from termination of its steps. Termination of 
steps 1 and 2 follows from the presentation of these transformations in Sections [4. II 
and 13. 21 respectively. Termination of steps 3-7 is obvious. 

• Partial correctness follows from the correctness of transformations and the corre- 
sponding result of ( Decorte et al. 19991 . Correctness of step 1 is established by Lemma|2l 
of step 2 by Theorem|3l For step 4 observe that termination for queries in S^\S' is 
obvious by choice of A. Correctness of steps 6 and 7 follows from the corresponding 
result of JDecorte et al. 1999> . 



In ExamplefTTlthe termination condition inferred by our algorithm was optimal, i.e., any 
other termination condition implies it. However, undecidability of the termination problem 
impUes that no automatic tool can always guarantee optimality. 
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Example 18 

Consider the following program. 

q{X,Y)^X> Y,Z isX~ Y,Ylis Y + l,q{Z,Yl)- 

We would like to study termination of this program with respect to {q{zi,Z2) \ z\,Z2 are 
integers}. Our algorithm infers the following termination condition: qi < qiM {q\ > qi /\ 
qi > 0). This is a correct termination condition, but it is not optimal as q{z\ , Z2) terminates, 
in fact, for all values of zi and Z2, i.e., the optimal termination condition is true. □ 

5 Experimental evaluation 

The algorithm presented in Figuref^was integrated in the system implementing the constraint- 
based approach of ( tPecorte et al. 1999t . As a preliminary step of our analysis, given a 
program and a set of atomic queries, the call set has to be computed. To do so, the type in- 
ference technique of Janssens and Bruynooghe ( Janssens and Bruynooghe 1992| l was used. 
We opted for a very simple type inference technique that provides us only with information 
whether some argument is integer or not. More refined analysis can be used. For instance, 
the technique presented in ("Janss ens et al. 1994ll would have allowed us to know whether 
some numerical argument belongs to a certain interval. Alternatively, the integer intervals 
domain fo Cousot and Cousot JCousot and Cousot 19761 ICousot and Cousot 1977> might 
have been used. 

We have tested our system on a number of examples. First, we considered examples 
from two textbooks chapters dedicated to programming with arithmetic, namely. Chapter 
8 of Sterling and Shapiro l^terling and Shapiro 1994 1 and Chapter 9 of Apt ( |Apt 1997| l. 
These results are summarised in Tables and |2l respectively. We can prove termination 
of all the examples presented for all possible values of the integer arguments, that is, the 
termination condition inferred is true. Next, we've collected a number of programs from 
different sources. Table|3]presents timings and results for these programs. Again, termina- 
tion of almost all programs can be shown for all possible values of the integer arguments. 
We believe that the reason for this is that most textbooks authors prefer to write programs 
ensuring termination. Finally, Table0]demonstrates some of the termination conditions in- 
ferred by our system. We can summarise our results by saying that the system turned out 
to be powerful enough to analyse correctly a broad spectrum of programs, while the time 
spent on the analysis never exceeded 0.20 seconds. In fact, for 90% of the programs results 
were obtained in 0. 10 seconds or less. 

The core part of the implementation was done in SICStus Prolog (ISICS 2002t . type in- 
ference of Janssens and Bruynooghe ( [Janssens and Bruynooghe 1992t was implemented in 
MasterProLog (IT Masters 20001. Tests were performed on SUN SPARC Ultra-60, model 
2360. The SPECint_95 and SPECfp.95 ratings for this machine are 16.10 and 29.50, re- 
spectively. 

In Tables [Q^the following abbreviations are used: 

• Ref: reference to the program; 

• Name: name of the program; 

• Queries: single predicate set of atomic queries of interest, where the arguments are 
denoted 
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Table 1. Examples of Sterling and Shapiro 



Ref 


Queries 


Time 


8.1 


greatest_common_divisor(«, i, v) 


0.03 


8.2 


factorial(i, v) 


0.02 


8.3 


factorial(j, v) 


0.03 


8.4 


factorial(i, v) 


0.03 


8.5 


between(j, i, v) 


0.03 


8.6a 


suinlist(ii, v) 


0.00 


8.6b 


sumlist(H, v) 


0.00 


8.7a 


inner_product(/j, li, v) 


0.00 


8.7b 


inner_product(/i, li, v) 


0.01 


8.8 


area(/p, v) 


0.03 


8.9 


maxlist(/i, v) 


0.02 


8.10 


length(«;, li) 


0.01 


8.11 


Iength(/i, v) 


0.01 


8.12 


range(i, i, v) 


0.03 



Table 2. Examples of Apt 



Name 


Queries 


Time 


between 


between(i, i, v) 


0.02 


delete 


delete (i, i, v) 


0.04 


factorial 


fact(i, v) 


0.01 


in_tree 


in_tree(i, t) 


0.01 


insert 


insert(i, t, v) 


0.01 


length 1 


length(fe, v) 


0.00 


maximum 


maximum(Zi, v) 


0.00 


ordered 


ordered(H) 


0.01 


quicksort 


qs(li, v) 


0.10 


quicksorLacc 


qs_acc(K, v) 


0.10 


quicksort-dl 


qs_dl(Zi, v) 


0.13 


search_tree 


isjearch_tree(t) 


0.06 


treejninimum 


minimum(t, v) 


0.01 



— c, if the argument is a character; 

— i, if the argument is an integer; 

— li, if the argument is a Ust of integers; 

— Ip, if the argument is a list of pairs of integers; 

— t, if the argument is a binary tree, containing integers; 

— V, if the argument is a variable; 

• Time: time (in seconds) needed to analyse the example; 
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Table 3. Various examples 



Name 


Ref 


Queries 


Time 


T 


dldf 


tBratko 1986') 


depthfirst2(c, v, i) 


0.03 


T 


exp 


JCoelho and Cotta 1988» 


exp(i, i, v) 


0.07 


N+ 


fib 


I'Bueno et al. 1994) 


fib(i, v) 


0.16 


T 


fib 


(O'Keefe 1990l 


fib(i, v) 


0.05 


T* 


forwardfib 


JBratko 19861 


fib3(i, v) 


0.02 


T 


money 


JBueno et al. 1994» 


money(t;, v, v, v. 


0.20 


T 






V, V, V, v) 






oscillate 


Example|4| 


Pit) 


0.07 


T 


p32 


JHett2001» 


gcd(j, i, v) 


0.03 


T 


p33 


JHett2001» 


coprime(i, i) 


0.05 


T 


p34 


CHett 2001) 


totient_phi(i, v) 


0.14 


T 


primes 


iClocksin and Mellish 198H 


primes(i, v) 


0.08 


T 


pythag 


JClocksin and Mellish 198H 


pythag(t;, v, v) 


0.05 


N+ 


r 


JDershowitz et al. 200 U 


v) 


0.01 


T 


triangle 


JMcDonald and Yazdani 19901 


triangle(i, v) 


0.03 


N+ 



Table 4. Examples of inferring termination conditions 



Name 


Ref 


Queries 


Time 


Condition 


q 


Examplell7l 


q(i, i) 


0.04 


91 < g2V(gi > g2Ag2 >0) 


q 


Example [m 


q(i, i) 


0.05 


91 < 92 V (91 > 92A92 >0) 


gcd 


JBratko 1986» 


gcd(i,i,v) 


0.10 


91 = 92 V(gi > 92 Ag2 > 1) 



• T: termination behaviour, see further. 

One of the less expected results was finding non-terminating examples in Prolog text- 
books. The first one, due to Coelho and Cotta JCoelho and Cotta 19881 . should compute 
an nth power of a number. 

exp{X,0,l)- 

exp{X, Y,Z)^even{Y),Ris Y /2,P is X * X ,exp{P,R,Z)■ 
exp{X,Y,Z)^ T is Y -\,exp{X,T,Z\),Z isZl^X- 

even{ Y) ^ R is Y modi, R = Q- 

The termination condition inferred by our system is false and indeed, this is the only ter- 
mination condition possible, since for any goal G the LD-tree of this program and G is 
infinite. This fact is denoted in Table |3] as N-n. Similarly, the fact that for any goal G the 
LD-tree of the program and G is finite and our system is powerful enough to discover this 
is denoted as T. 
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McDonald and Yazdani suggest the following exercise in their book f McDonald and Yazdani 19901 : 
write a predicate triangle which finds the number of balls in a triangle of base N . For exam- 
ple, for = 4 the number of balls is 4 + 3 + 2+1 = 10. The next program is the solution 
provided by the authors: 

triangle{ 1,1)- 

triangle{N, S)^ M isN-1, triangle{M, R),S isM + R- 

Once more, the termination condition inferred by our system is false, and it is the only 
possible one. 

O'Keefe dO'Keefe 1990> suggested a more efficient way of calculating Fibonacci num- 
bers performing 0{n) work each time it is called, unlike the version of JBuenoetal. 1994> 
that performs an exponential amount of work each time. 

fib{\,X) ^l,X = 1- 
fib(2,X) ^\,X ^ 1- 
fib{N,X)^ N >2,fib{2,N, 1,1, X)- 

fib{N,N,X2,.,X) '-\,X = X1- 

fib{No,N,X2,Xl,X)^ NHsNq+I, 

X3 isX2 + Xl,fib{Nl,N,X3,X2,X)■ 
TeTmination of goals of the form fib(i,v) with respect to this example depends on the cut 
in the first clause of fib/5. If it is removed and if we add at the beginning of the second 
clause Nq ^ N termination can be proved. This fact is denoted T* in Table |3] Note that 
this replacement does not affect complexity of the computation. Observe also that a more 
declarative way to write the program might be to add Nq<N instead of Nq^ N. However, 
while the latter condition can be inferred automatically from the program, it is not clear 
whether this is also the case for the former one. 

6 Further extensions 

In this section we discuss possible extensions of the algorithm presented in Section|3 First 
of all, we discuss integrating termination analysis of numerical and symbolic computations, 
and then show how our results can be used to improve existing termination analyses of 
symbolic computations, such as (.Mesnard 1996..Codish and Taboch 1999J . 

6.1 Integrating numerical and symbolic computation 

In the real-world programs numerical computations are sometimes interleaved with sym- 
bolic ones, as illustrated by the following example collecting leaves of a tree with a variable 
branching factor, being a common data structure in natural language processing ( jPoUard and Sag 1994| i. 

Example 19 



collect{X, [X\L],L) ^ atomic{X) 
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collect[ T, LO, L) ^ compound{ T),functor{ T, A), (3) 

process{T,Q,A,LQ,L)- 
process{., A, A, L, L) ■ 

process{ T, /, A, LO, L2) ^ I < AJl is I + I, arg{n, T,Aig), (4) 
collect{ATg, LQ, LI ),process{ T,n,A,Ll,L2)- 

To prove termination of {coUect{t,v , [])}, where Hs a tree and u is a variable, three de- 
creases should be shown: between a call to collect and a call to process in Q, between a 
call to process and a call to collect in © and between two calls to process in ^ . The first 
two can be shown only by a symbolic level mapping, the third one — only by the numerical 
approach. □ 

Thus, our goal is to combine the existing symbolic approaches with the numerical one 
presented so far One of the possible ways to do so is to combine two level mappings, 
I'll and I • 1 2 by mapping each atom A G Bp either to a natural number | ^4 |i or to a 
pair of natural numbers (| ^4 |i, | j4 I2) and prove termination by estabhshing decreases via 
orderings on (jy; U 5V;^) as suggested in l |Serebrenik and De Schreye 2001^ . 

Example 20 

Example[T9l continued. Define cp : Bp ^ (?v; U9V;^) as follows: (p{collect{t, 10, 1)) = 
(p{process{t, i, a, 10, 1)) = a — i) where || • || is a term-size norm. The decreases are 
satisfied with respect to >, such that Ai > A2 if and only if (p(^i) >~ 9(^2), where >- is 
defined as: n ;^ m, if n >5y- m, n >- {n, m), if true, [n, m\) >~ [n, 7712), if m\ mi and 
{ni,m) >- n2, if rii >5y- 712 and >^ is the usual order on the naturals. □ 

This integrated approach allows one to analyse correctly examples such as ground, unify, 
numbervars ( [Sterling and Shapiro 1994^ and Example 6.12 in (IDershowitz et al. 200 U . 



6.2 Termination of symbolic computations — revised 

A number of modern approaches to termination analysis of logic programs fCodish and Taboch 19991 
liVIesnard 1996 , Mesnard et al. 2002 ) abstract a program to CLP(N) and then infer termina- 
tion of the original program from the corresponding property of the abstract one. However, 
as mentioned in the introduction, techniques used to prove termination of the numerical 
program are often restricted to the identity function as the level-mapping. 

Example 21 

Consider the following example: 

p{X)^ appendix, [.,.,.,.,,_,_,_]), p ( [.| X] ) • 
append{[],L,L) ■ 

append{[H\X], Y ,[H\Z]) ^ append{X , Y,Z)- 
Using the list-length norm, defined as 

r i + p'ii if t^[h\t'] 

1 otherwise 
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the following CLP(rY )-abstraction can be computed: 

p{X) ^appendix, _,l),p{\+X) ■ 
append{0, L, L) ■ 

appendix +X,Y,l + Z)^ append{X , Y, Z)- 

Computing a model for the abstraction of append and transforming the clause for p as 
described by Mesnard (Mesnard 1996,) the following program is obtained: 

p{X)^X<l,p{\+X)- 

Termination of this program cannot be shown by the identity function as a level-mapping. 
Thus, non-termination will be suspected. □ 

Our approach is able to bridge the gap and provide the correct analysis of Example 1211 
Since our results have been stated for numerical computations and not for CLP(5V;) minor 
changes in the abstraction process are required. Instead of replacing a term t in an atom a 
with the size of t, a fresh variable V is introduced. Then, we add a goal V is size{t) before 
a (if a is a body subgoal) or after a (if it is a head of the clause). Next, we replace i in a 
by V, and proceed with the transformation of (IMesnard 1996> . 

Example 22 

Example 12 II continued. Applying the abstraction technique above with respect to the list- 
length norm the following program is obtained: 

p{X) ^ appendix, XI isX + l,p(Xl)- 
append{0, L, L) ■ 

appendiXl, Y , Zl) ^ X I is X + I, Zl is Z + l,appendiX , Y,Z)- 
After computing the models this program is transformed to: 

piX) ^X <7,X1 isX + l,piXl)- 

Termination of pin) with respect to this program can be shown by our approach for any 
integer number n. This implies termination of pit) with respect to the original one for any 
list of finite length t. □ 

To summarise this discussion, we believe that integrating our technique for proving ter- 
mination of numerical computations with CLP(iAt ) abstracting methodologies of JCodish and Taboch 19991 
IMesnard 19961 IMesnard et al. 2002> will significantly extend the class of logic programs 
that can be analysed automatically. 



7 Conclusion 

We have presented an approach to verification of termination for logic programs with in- 
teger computations. This functionality is lacking in current available termination analysers 
for Prolog, such as cTI JMesnard 1996IIMesnard and Neumerkel 2001'!. TerminWeb JCodish and Taboch 1999t . 
and TermiLog ( |Lindenstrauss and Sagiv 1997{ILindenstrauss et al. 1997 ). The main contri- 
bution of this work is threefold. First, from the theoretical perspective, our study improves 
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the understanding of termination of numerical computations, situates them in the well- 
known framework of acceptability and allows integration with the existing approaches to 
termination of symbolic computations. Moreover, our technique can be used to strengthen 
the existing techniques for proving termination of symbolic computations. 

Second, unlike the majority of works on termination analysis for logic programs con- 
cerned with termination verification, we go further and do inference, i.e., we infer condi- 
tions on integer arguments of the queries that imply termination. To perform the inference 
task we apply a methodology inspired by the constraints based approach ( IDecorte et al. 1999l l. 
i.e., we start by symbolic counterparts of level mappings and interargument relations and 
infer constraints on the integer arguments from rigid acceptability condition and validity 
of interargument relations. 

Finally, the methodology presented has been integrated in the automatic termination 
analyser of (> Decorte et al. 1999t . It was shown that our approach is robust enough to prove 
termination for a wide range of numerical examples, including gcd and mod (Dershowit z et al. 200 lb 
all examples appearing in Chapter 8 of ( |Sterhng and Shapiro 1994^ and those appearing 
in ( |Apt 1997l l. 

Termination of numerical computations was studied by a number of authors ( |Apt 1997) 
|Apt et al. 1994|lDers howitz et al. 2001 1. Apt et al. jApt et al. \99A\ provided a declarative 
semantics, so called ©-semantics, for Prolog programs with first-order built-in predicates, 
including arithmetic operations. In this framework the property of strong termination, i.e., 
finiteness of all LD-trees for all possible goals, was completely characterised based on 
an appropriately tuned notion of acceptability. This approach provides important theoret- 
ical results, but seems to be difficult to integrate in automatic tools. In ( [Apt 1997} it is 
claimed that an unchanged acceptability condition can be applied to programs in pure Pro- 
log with arithmetic by defining the level mappings on ground atoms with the arithmetic 
relation to be zero. This approach ignores the actual computation, and thus, its applica- 
bility is restricted to programs using arithmetic but whose termination behaviour is not 
dependent on their arithmetic part, such as quicksort. Moreover, there are many programs 
that terminate only for some queries, such as Example 1171 Alternatively, Dershowitz et 
al. JDershowitz et al. 200 U extended the query-mapping pairs formalism of ( P^indenstrauss and Sagiv 1997| l 
to deal with numerical computations. However, this approach inherited the disadvantages 
of ( |Lindenstrauss ancTSagiv 1997 1, such as high computational price, inherent to this ap- 
proach due to repetitive fixpoint computations. Moreover, since our approach gains its 
power from the underlying framework of (^ Decorte et al. 1999l l. it allows one to prove ter- 
mination of some examples that cannot be analysed correctly by dPershowitz et al. 2001> . 
similar to confused delete (^Decorte et al. 1999 1. 

More research has been done on termination analysis for constraint logic program- 
ming JColussi et al. 19951 IMesnard 19961 |Ruggieri 1997| . Since numerical computations 
in Prolog should be written in a way that allows a system to verify their satisfiability we can 
see numerical computations of Prolog as an ideal constraint system. Thus, all the results 
obtained for ideal constraints systems can be applied. Unfortunately, the research was ei- 
ther oriented towards theoretical characterisations fRuggi eri 1997| l or restricted to domains 
isomorphic to ( Mesnard 1996 ) , such as trees and terms. 

In a contrast to the approach of (IDershowitz et al. 200 U that was restricted to verifying 
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termination, we presented a methodology for inferring termination conditions. It is not 
clear whether and how (Dershowitz et al. 2001 1 can be extended to infer such conditions. 

Numerical computations have been also analysed in the early works on termination 
analysis for imperative languages ( |Floyd 1967|IKatz and Manna 191 5). considering, as we 
have already pointed out in Section 1, general well-founded domains. However, our ap- 
proach to automation differs significantly from these works. Traditionally, the verification 
community considered automatic generation of invariants ( Bj0 rneretal. 1997) , while auto- 
matic generation of ranking functions (level mappings, in the logic programming parlance) 
just started to emerge ( Colon and Sipma 2001 , Colon and Sipma 2002| i. The inherent re- 
striction of the latter results is that ranking functions have to be linear. Moreover, in order 
to perform the analysis of larger programs, such as mergesort, in a reasonable amount of 
time, authors further restricted the ranking functions to depend on one variable only. Unlike 
these results, our approach doesn't suffer from such limitations. 

The idea of splitting a predicate into cases was first mentioned by UUman and Van 
Gelder ( Ullm an and Van Gelder 1988t . where existence has been assumed of a preproces- 
sor that transformed a set of clauses to the new set, in which every subgoal unifies with all 
of the rules for its predicate symbol. However, neither in this paper, nor in the subsequent 
one ( JSohn and Van Gelder 1 991 1) the methodology proposed was presented formally. To 
the best of our knowledge the first formal presentation of splitting in the framework of 
termination analysis is due to Lindenstrauss et al. ( Lindenstrauss et al. 1998 1. Unlike these 
results, a numerical and not a symbolic domain was considered in the current paper. 

The termination condition inferred for ExamplellVlis optimal, i.e., it is implied by any 
other termination condition. Clearly, undecidability of the termination problem implies 
that no automatic tool can always guarantee optimaUty of the condition inferred. How- 
ever, verifying if the condition inferred is optimal seems to be an interesting question, re- 
lated to looping analysis dBol 1991l|De Schreye et al. 1990|IShenT997llShen et al. 20011 
ISkordev 'l997 i. So far, in the context of logic programming, optimality of termination con- 
ditions inferred has been studied by Mesnard et al. dMesnard et al. 20021 only for symbolic 
computations. 
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